| 45886 |
2020-10-27 17:33
|
udi.exe 6c928c0bb16fbe2a4b655cbbdd08c226
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed keylogger |
2
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/
|
4
api.ipify.org(184.73.247.141)
crt.comodoca.com(91.199.212.52)
91.199.212.52
54.235.83.248
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.2 |
M |
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45887 |
2020-10-27 17:33
|
Pu.exe 67b15c0cca8d63bc909cc6d9a97ff36b
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://61.118.67.173/rx1kpHQz6AyHyLdYTa/
|
1
|
|
|
5.8 |
|
6 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45888 |
2020-10-27 14:30
|
Pu.exe 67b15c0cca8d63bc909cc6d9a97ff36b
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://61.118.67.173/kkGGN/eVWONrKSMxXKDwiXoI/
|
1
|
|
|
5.4 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45889 |
2020-10-27 14:23
|
October Invoice.doc 6417e13118cf88c3a42ed070cae0e8ce
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://61.118.67.173/crbyOZ4qgH8lU9f9/WP5Um4j/sZ9b6WRDmnWJJFgvb/DDSkxjWLp9abnuf/hzkTOA/
https://cardandev.com/balancedteens/N2aAqwmfux/
|
3
cardandev.com(67.43.4.115)
61.118.67.173
67.43.4.115
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45890 |
2020-10-27 14:19
|
ZROO26A9.exe 52a32baeffe4eeaf585965700d174832
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://61.118.67.173/1nUT/wRmpHv/UUgQPiqQLluBThrD4/TTgIjadHETlbQp/RflYdpG86/
|
1
|
|
|
6.6 |
|
21 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45891 |
2020-10-27 14:15
|
F62BowAeOHaWkJ.exe 42e2d1d77e7b06eeefeb06a779b8dd75
VirusTotal Malware RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://154.91.33.137:443/kbjM3Fxq6/Rqvh0muenJLyWpBlja/b3UlyWbtoGMYy7r/OAeG8e/ - mailcious
|
1
154.91.33.137 - suspicious
|
1
ET POLICY HTTP traffic on port 443 (POST)
|
|
5.0 |
M |
5 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45892 |
2020-10-27 14:12
|
K1kT9zB1XF12ojRWIA.exe 41de502a829823668d3f75fbc7a21b13
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://107.170.146.252:8080/pvfiiNZk33J4sAsus3/ - mailcious
|
2
107.170.146.252 - suspicious
67.163.161.107 - suspicious
|
|
|
7.8 |
M |
13 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45893 |
2020-10-27 14:08
|
NUl1riRhXoQYQ.exe a895ac0dd9f7ce54053c8933f59b721a
Malware Report Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://94.23.62.116:8080/iiXhvXTg5cLJmqE8i8/L6elec9pQxiaVZj/WMc0T1Y277JtaJMtA3/ - mailcious
|
2
94.23.62.116 - suspicious
81.214.253.80 - suspicious
|
1
ET CNC Feodo Tracker Reported CnC Server group 22
|
|
7.2 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45894 |
2020-10-27 10:21
|
F62BowAeOHaWkJ.exe 42e2d1d77e7b06eeefeb06a779b8dd75
VirusTotal Malware RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://154.91.33.137:443/c72v3Zeo/Hx6ybCdTSwd1exL/wl297yw/DW5THKORKqMHv/HodKTEQvhVD/ - mailcious
|
1
154.91.33.137 - suspicious
|
1
ET POLICY HTTP traffic on port 443 (POST)
|
|
5.0 |
M |
5 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45895 |
2020-10-27 09:59
|
jCEfNBgNKuQdfM.exe 42f8fed7b14d4181d8486e4c4448830c
VirusTotal Malware Report RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://200.116.145.225:443/kWXwO65W/g6AFo5WoDxht/OfPqNH8GoVlOoO/9MRqmaq8EaJk/RQYVp3Hi7bji/ - mailcious
|
1
200.116.145.225 - suspicious
|
2
ET CNC Feodo Tracker Reported CnC Server group 13
ET POLICY HTTP traffic on port 443 (POST)
|
|
5.8 |
M |
55 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45896 |
2020-10-27 09:54
|
vr1qunng5d.exe 88e7ebf0175b0aa6827e063c46203e58
VirusTotal Malware Malicious Traffic ICMP traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://51.38.50.144:8080/fI5M7pvAX3v4qDKi/Df5qaeH04Fd5bPmKX6R/WXQhIPA4qeos/ - mailcious
|
4
188.226.165.170 - suspicious
188.40.170.197 - suspicious
51.38.50.144 - suspicious
78.90.78.210 - suspicious
|
|
|
9.4 |
M |
46 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45897 |
2020-10-27 09:22
|
BDK_100120_VLM_102720.doc 34cf2c044e2803cb74c2439f759d3dcc
Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee |
5
http://goodherbwebmart.com/
https://arpe-samois.fr/wp-content/eQCw/ - mailcious
https://braceyourself.us/wp-admin/J/ - mailcious
https://fitthemes.com/wordpress-5.3.2/O/ - mailcious
https://nhatcuong.xyz/wp-content/Szx94QD/ - mailcious
|
18
braceyourself.us(139.59.104.96) - mailcious
carl99a.com(184.154.69.125) - malware
nhatcuong.xyz(104.31.92.104) - mailcious
fitthemes.com(172.67.177.180) - mailcious
goodherbwebmart.com(141.98.10.47)
nakanoyoi5.com(150.95.54.162) - malware
360digest.beyondb-school.com(44.228.91.252) - mailcious
arpe-samois.fr(155.133.142.4) - mailcious
seitaiken.net(150.95.54.237) - malware
44.228.91.252 - suspicious
184.154.69.125 - suspicious
172.67.177.180 - suspicious
150.95.54.237 - suspicious
139.59.104.96 - suspicious
155.133.142.4 - suspicious
141.98.10.47
150.95.54.162 - suspicious
104.31.93.104
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
|
5.0 |
M |
21 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45898 |
2020-10-27 09:07
|
K1kT9zB1XF12ojRWIA.exe 41de502a829823668d3f75fbc7a21b13
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://107.170.146.252:8080/DLODBB/yUfsWO4bGKq/XZBWc27I/
|
2
107.170.146.252
67.163.161.107
|
|
|
7.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45899 |
2020-10-27 08:52
|
INV_XI2FZ0I0ME.doc 933023dcade70fbac0a87f509997a9b1
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee |
5
http://goodherbwebmart.com/
https://arpe-samois.fr/wp-content/eQCw/
https://braceyourself.us/wp-admin/J/
https://fitthemes.com/wordpress-5.3.2/O/
https://nhatcuong.xyz/wp-content/Szx94QD/
|
18
braceyourself.us(139.59.104.96)
carl99a.com(184.154.69.125)
nhatcuong.xyz(172.67.200.82)
fitthemes.com(172.67.177.180)
goodherbwebmart.com(141.98.10.47)
nakanoyoi5.com(150.95.54.162)
360digest.beyondb-school.com(44.228.91.252)
arpe-samois.fr(155.133.142.4)
seitaiken.net(150.95.54.237)
44.228.91.252
184.154.69.125
172.67.177.180
104.31.92.104
150.95.54.237
139.59.104.96
155.133.142.4
141.98.10.47
150.95.54.162 - suspicious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
|
4.2 |
|
21 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45900 |
2020-10-27 07:30
|
https://redesuperpops.com.br/k... 74558ab0b6c9a3d2202b149413178595
Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
3
redesuperpops.com.br(192.185.216.181) - mailcious
192.185.216.181 - suspicious
117.18.232.200 - suspicious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|