45931 | 2020-10-24 21:16 | aa.exe | 34bbaf88d62ba189eb03bd77d951bd6d
  Tags: suspicious privilege Check memory Checks debugger unpack itself ComputerName
  Score: 1.4 | User: admin

45932 | 2020-10-24 21:12 | 3415201.png.exe | 8ae42eb5c0a95502f49a77dada2c28c6
  Tags: AutoRuns Code Injection Check memory buffers extracted unpack itself Windows utilities Detects VMWare suspicious process malicious URLs sandbox evasion WriteConsoleW VMware Windows Browser ComputerName crashed
  Score: 8.6 | User: admin

45933 | 2020-10-24 20:45 | document.doc | c442eddb89f85c2c9aca3a7155413b0e
  Tags: VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
  URLs (1):
    http://75.127.1.211/svch/vbc.exe
  Hosts (1): 75.127.1.211 - suspicious
  Alerts (6):
    ET INFO Executable Download from dotted-quad Host
    ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
    ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Score: 5.2 | 23 | User: admin

45934 | 2020-10-23 20:36 | presh.exe | 0a9d84384de463aabdecb558364b7fb8
  Tags: VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs
  URLs (1):
    http://www.zekmer.com/glt/?v4=z+jsdghqXIBzHzcwNQBJFFUB20Iq6ajocFUFpR4BfVUNFKQjr26H9Gtmme6BTxiiwmG9c7BY&Hp=V48HzvXX
  Hosts (4): www.zekmer.com(213.186.33.5); www.organizationfun.net(109.238.192.244); 109.238.192.244; 213.186.33.5 - suspicious
  Score: 12.2 | M | 32 | User: admin

45935 | 2020-10-23 20:34 | uzo.exe | 48520b30c57caafbf360c5e71920b82a
  Tags: VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS
  URLs (2):
    http://www.videosdownloader.world/pna/?Qzr=lCkM/WNlHDQhPNNCLgigIn5TsqjRkZBYQe3/3x3aWICa8ZqoM9hoiIzVhwhkLA/ae94goVfc&MJBx=FdCtDF7XaZvxp8w0
    http://www.mataangin.net/pna/?Qzr=o/AJFgPg/rbDqSsFRatFNqFF87My87PbRraUcI3XxD6SDEHBVw/9QUHgwqVD98MMlV6r5EQQ&MJBx=FdCtDF7XaZvxp8w0
  Hosts (4): www.videosdownloader.world(104.31.70.123); www.mataangin.net(216.58.197.147); 74.125.203.121; 104.31.70.123 - suspicious
  Alerts (2):
    ET INFO Observed DNS Query to .world TLD
    ET INFO HTTP Request to Suspicious *.world Domain
  Score: 9.6 | M | 9 | User: admin

45936 | 2020-10-23 20:24 | vbc.exe | fcba8b1c5716461bba1273bfb0c2b825
  Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed
  Score: 13.2 | M | 29 | User: admin

45937 | 2020-10-23 20:02 | uzo.exe | 48520b30c57caafbf360c5e71920b82a
  Tags: VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs
  Score: 8.8 | M | 9 | User: admin

45938 | 2020-10-23 20:00 | presh.exe | 0a9d84384de463aabdecb558364b7fb8
  Tags: VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs
  Score: 10.4 | M | 32 | User: admin

45939 | 2020-10-23 11:10 | inf-2020_10_23-EJ505.doc | 1d5be9c83557b664dc292323fc4ec573
  Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
  URLs (5):
    http://autodidactai.com/wp-content/5SF/
    http://primaage.com/wp-admin/is/
    http://uvibrands.com/QIG/
    http://177.107.79.214:8080/xnoNI2qo11i3D/3aNkn/XcAA7MF7AWKL4LMEiEf/9NYV9VrLE/Mb8iWJuY/sncmOVN9EXFxv/
    https://cs.vitalero.com/wp-includes/Vf/
  Hosts (11): cs.vitalero.com(89.221.212.63); morrobaydrugandgift.com(46.17.175.19); primaage.com(103.8.25.135); uvibrands.com(172.67.155.28); autodidactai.com(104.31.77.164); 177.107.79.214; 103.8.25.135 - suspicious; 46.17.175.19 - suspicious; 104.31.77.164; 104.18.48.233; 89.221.212.63
  Alerts (3):
    SURICATA TLS invalid record type
    SURICATA TLS invalid record/traffic
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 5.2 | M | 27 | User: admin

45940 | 2020-10-23 10:57 | X_22195069.doc | d61a47be392a0a7af4b6777057503911
  Tags: Vulnerability VirusTotal Malware Report Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
  URLs (3):
    http://www.chapelknollestates.com/cgi-bin/Xr9RkLq/ - malware
    http://96.126.101.6:8080/eTYkX/5Fl9s5owHWh9BD6sP6/ - malicious
    https://rallyemas.com/wp-content/x51/
  Hosts (8): www.chapelknollestates.com(131.153.44.4) - malware; rallyemas.com(88.99.145.163); swiftbusinesspay.com(68.66.248.54) - malware; 96.126.101.6 - suspicious; 88.99.145.163; 200.116.145.225 - suspicious; 131.153.44.4 - suspicious; 68.66.248.54 - suspicious
  Alerts (7):
    SURICATA TLS invalid record type
    SURICATA TLS invalid record/traffic
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET CNC Feodo Tracker Reported CnC Server group 13
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET INFO EXE - Served Attached HTTP
  Score: 6.2 | M | 21 | User: admin

45941 | 2020-10-23 10:46 | t.exe | c7d0c34935ed91bda9d99688b4cd1fe3
  Tags: VirusTotal Malware Report Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
  URLs (1):
    http://96.126.101.6:8080/d8HFt/Wi9QIuN1Noi0x0/ - malicious
  Hosts (2): 96.126.101.6 - suspicious; 200.116.145.225 - suspicious
  Alerts (1):
    ET CNC Feodo Tracker Reported CnC Server group 13
  Score: 7.4 | M | 14 | User: admin

45942 | 2020-10-23 10:45 | uu1hTTn1h.exe | 10ac7570e15e05eeeda62fcafca1cb9f
  Tags: VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
  URLs (1):
    http://188.226.165.170:8080/DsKr19C9vITeWAXHSZ/ - malicious
  Hosts (2): 188.226.165.170 - suspicious; 78.90.78.210
  Score: 7.4 | M | 14 | User: admin

45943 | 2020-10-23 10:35 | photos.exe | 7fe46c0cd8eb73f3d51c17eeda16bdf9
  Tags: VirusTotal Malware
  Score: 1.2 | M | 23 | User: admin

45944 | 2020-10-23 10:34 | 0488939.doc | 3f0d1297b898cc4b868d373bd3b1f38d
  Tags: Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee Windows DNS
  URLs (5):
    http://allcannabismeds.com/unraid-map/xcGN/
    http://stopinfo.vhostgo.com/info3.html?data=jiafunongye.com%2Fapplication%2FNJ3Ta&note=%E7%97%85%E6%AF%92%E9%93%BE%E6%8E%A5%E6%9C%AA%E5%88%A0%E9%99%A4&type=1
    http://amarteargentina.com.ar/wp-admin/GOAvrV/
    http://jiafunongye.com/application/NJ3Ta/
    https://acheterdrogues.com/wp-admin/m/
  Hosts (13): hcareconcepts.com(51.81.109.122); amarteargentina.com.ar(66.97.40.114) - malicious; jiafunongye.com(211.149.252.72) - malicious; allcannabismeds.com(35.208.69.64) - malware; acheterdrogues.com(104.18.49.158); stopinfo.vhostgo.com(211.149.246.250); 35.208.69.64 - suspicious; 78.90.78.210; 211.149.246.250; 66.97.40.114 - suspicious; 172.67.186.189; 211.149.252.72 - suspicious; 51.81.109.122
  Alerts (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET INFO EXE - Served Attached HTTP
  Score: 6.8 | 30 | User: admin

45945 | 2020-10-22 23:24 | Mssz6xtWX5orm7o1nlYg.exe | ff2ce8b5a2e8f56035f0fd2741e9d45e
  Tags: VirusTotal Malware PDB Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
  URLs (1):
    http://167.114.153.111:8080/gtG28g/ynMKzV9XZyPmE/O5cAFtAz9y5UkFddW5U/xxPbLWGI0rztF/Faf9AW0b/ - malicious
  Hosts (2): 208.180.207.205 - suspicious; 167.114.153.111 - suspicious
  Score: 8.0 | M | 54 | User: guest