45871 | 2020-10-28 09:03
Sample: CtjEwdljmr.exe
MD5: 81f9fa473a516670504b796b8ae63d6b
Tags: Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://91.121.200.35:8080/K1uKQdxD7ph/qfR3TQwB8Gid/
Hosts (2): 179.15.102.2; 91.121.200.35
Score: 6.4
Submitter: guest

45872 | 2020-10-28 08:07
Sample: http://jiehost.com/wp-admin/6Z...
MD5: fe40bfc067dd10f30aae16fc5bb543f3
Tags: Malware AutoRuns Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Windows Exploit Advertising ComputerName DNS Cryptographic key crashed
URLs (2): http://jiehost.com/wp-admin/6ZFh6A/; http://107.170.146.252:8080/r4TdOePZcY2xOB/BX1Ae4O/gnQzBkBvpnx/ - malicious
Hosts (5): jiehost.com(202.95.11.52); 107.170.146.252 - suspicious; 202.95.11.52; 88.153.35.32; 117.18.232.200 - suspicious
IDS alerts (2): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP
Score: 12.8
Other fields: M
Submitter: guest

45873 | 2020-10-28 07:47
Sample: http://www.josejuanarroyo.com/...
MD5: 2e9b6b2fd1f6f1a4e7f9df6b0aefb6bb
Tags: VirusTotal Malware AutoRuns Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Windows Exploit Advertising ComputerName DNS Cryptographic key crashed
URLs (2): http://www.josejuanarroyo.com/antithetical-bulblet/l/; http://78.206.229.130/jTt9/KZwZ0vlvI7dAu2QWz/qhtQlX8dMR6/
Hosts (4): www.josejuanarroyo.com(65.254.227.224) - malicious; 78.206.229.130; 65.254.227.224 - suspicious; 117.18.232.200 - suspicious
IDS alerts (2): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP
Score: 12.2
Submitter: guest

45874 | 2020-10-28 07:40
Sample: http://oreillyautolawsuit.com/...
MD5: 0c4816564a04182f082efe99506f5f94
Tags: VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities Windows Exploit DNS crashed Downloader
URLs (1): http://oreillyautolawsuit.com/f3.exe
Hosts (3): oreillyautolawsuit.com(8.209.127.167); 8.209.127.167 - suspicious; 117.18.232.200 - suspicious
IDS alerts (2): ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile; ET POLICY PE EXE or DLL Windows file download HTTP
Score: 4.6
Submitter: guest

45875 | 2020-10-28 07:37
Sample: http://103.153.79.195/0pp.exe
MD5: 605eef77a212754b476a215f3b6c02f7
Tags: VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities malicious URLs Windows Exploit DNS crashed
URLs (2): http://www.tessuto.net/glt/?RP=RXCBf+kRwtR1pIzlq54zDDgrcqehmcxCBUaK6qj2AbfyZ/t9TvGN2V+NJcOiP+Lg/Slh4fLG&rVBt5x=S0D0XvJ; http://103.153.79.195/0pp.exe - malware
Hosts (5): www.tessuto.net(3.128.208.230); www.findoffline.com(); 103.153.79.195 - suspicious; 3.22.191.41; 117.18.232.200 - suspicious
IDS alerts (3): ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 11.8
Other fields: M
Submitter: guest

45876 | 2020-10-27 18:23
Sample: rep_0HHSEI8DAP5IFU0.doc
MD5: f0ff84c95b97ee41cf9869d9bc25eb15
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (4): http://107.170.146.252:8080/jz4gNpp6m5qRXw9NLU/FbrMZTF/DHip8bMTk8WVuy4Sna/ - malicious; https://www.theginlibrary.de/wp-includes/ma/; https://toorak.ie/wp-includes/aT/; https://homewatchamelia.com/wp-admin/MQxjrRU/
Hosts (10): www.theginlibrary.de(37.17.224.143); toorak.ie(104.31.82.230); pottershousedurban.co.za(102.130.121.16) - malicious; homewatchamelia.com(172.67.148.194) - malicious; 67.163.161.107 - suspicious; 104.31.82.230; 102.130.121.16 - suspicious; 37.17.224.143; 104.28.23.149 - suspicious; 107.170.146.252 - suspicious
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 6.0
Other fields: M; 19
Submitter: guest

45877 | 2020-10-27 18:19
Sample: FILE-2020_10_27-YE455729.doc
MD5: e6df4c6ce89b90689352e5f18778cd5d
Tags: Vulnerability VirusTotal Malware Report Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (3): http://104.131.92.244:8080/RGc8Ihma897MD9Up/x4JW/F9mrfCWszepi3o/; http://kbppp.ilmci.com/wp-includes/z/; http://www.royalempresshair.com/wp-content/upgrade/Ete/
Hosts (6): www.royalempresshair.com(45.79.219.198) - malicious; kbppp.ilmci.com(103.241.24.165) - malicious; 45.79.219.198 - suspicious; 103.241.24.165 - suspicious; 45.16.226.117 - suspicious; 104.131.92.244
IDS alerts (5): ET CNC Feodo Tracker Reported CnC Server group 18; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 6.0
Other fields: 19
Submitter: guest

45878 | 2020-10-27 18:17
Sample: mT2cge6ejFx20w3Hu.exe
MD5: f583ada80565e37b45785f7e35e2bec2
Tags: Malware Report Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://104.131.92.244:8080/UpnPUowtfqf8qspt1/Qqwr1NrLzr3LzL/
Hosts (2): 45.16.226.117 - suspicious; 104.131.92.244
IDS alerts (1): ET CNC Feodo Tracker Reported CnC Server group 18
Score: 6.4
Submitter: guest

45879 | 2020-10-27 18:14
Sample: kung.exe
MD5: 45bfc424046b617fe8d016e34e047c0a
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software
URLs (1): http://magicview.ga/chang/gate.php - malicious
Hosts (2): magicview.ga(91.203.192.84) - malicious; 91.203.192.84 - suspicious
IDS alerts (10): ET INFO DNS Query for Suspicious .ga Domain; ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Score: 12.8
Other fields: M; 31
Submitter: guest

45880 | 2020-10-27 17:59
Sample: muo4guvow.jpg.exe
MD5: a84721e4044bb7cef292b2e46393dc24
Tags: VirusTotal Malware unpack itself malicious URLs crashed
Score: 2.2
Other fields: 11
Submitter: guest

45881 | 2020-10-27 17:57
Sample: zzf.exe
MD5: db6c083fb31ee45ab0dcfb438d15e411
Tags: PDB
Score: 0.6
Submitter: guest

45882 | 2020-10-27 17:57
Sample: U86GkXRRov.exe
MD5: b86e39e2efa1d7739534e74d194d06eb
Tags: Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://61.118.67.173/4Es8r3qc8nTFF/o8D8eq/
Hosts (1):
Score: 5.4
Submitter: guest

45883 | 2020-10-27 17:42
Sample: Fsl2uw.exe
MD5: f8e613f97dfaad6b5e4f25aa9c9a52e5
Tags: VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key
URLs (1): http://61.118.67.173/X00DApi56EqexN/IE9i13knJe/BHOOP9/
Hosts (1):
Score: 5.8
Other fields: 6
Submitter: admin

45884 | 2020-10-27 17:41
Sample: joj.exe
MD5: 75c4f2a3e9f895a4d684e41edbc665b6
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed keylogger
URLs (2): http://crt.comodoca.com/COMODORSAAddTrustCA.crt; https://api.ipify.org/
Hosts (4): api.ipify.org(50.19.252.36); crt.comodoca.com(91.199.212.52); 91.199.212.52; 54.235.83.248
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 15.4
Other fields: M; 39
Submitter: admin

45885 | 2020-10-27 17:34
Sample: joj.exe
MD5: 75c4f2a3e9f895a4d684e41edbc665b6
Tags: VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Tor ComputerName crashed
URLs (2): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/; http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
Hosts (2): api.ipify.org(184.73.247.141); 54.225.169.28
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 12.0
Other fields: M; 39
Submitter: guest