| 45931 |
2020-10-24 21:16
|
aa.exe 34bbaf88d62ba189eb03bd77d951bd6d
suspicious privilege Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.4 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45932 |
2020-10-24 21:12
|
3415201.png.exe 8ae42eb5c0a95502f49a77dada2c28c6
AutoRuns Code Injection Check memory buffers extracted unpack itself Windows utilities Detects VMWare suspicious process malicious URLs sandbox evasion WriteConsoleW VMware Windows Browser ComputerName crashed |
|
|
|
|
8.6 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45933 |
2020-10-24 20:45
|
document.doc c442eddb89f85c2c9aca3a7155413b0e
VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader |
1
http://75.127.1.211/svch/vbc.exe
|
1
75.127.1.211 - suspicious
|
6
ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
|
23 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45934 |
2020-10-23 20:36
|
presh.exe 0a9d84384de463aabdecb558364b7fb8
VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs |
1
http://www.zekmer.com/glt/?v4=z+jsdghqXIBzHzcwNQBJFFUB20Iq6ajocFUFpR4BfVUNFKQjr26H9Gtmme6BTxiiwmG9c7BY&Hp=V48HzvXX
|
4
www.zekmer.com(213.186.33.5)
www.organizationfun.net(109.238.192.244)
109.238.192.244
213.186.33.5 - suspicious
|
|
|
12.2 |
M |
32 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45935 |
2020-10-23 20:34
|
uzo.exe 48520b30c57caafbf360c5e71920b82a
VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
2
http://www.videosdownloader.world/pna/?Qzr=lCkM/WNlHDQhPNNCLgigIn5TsqjRkZBYQe3/3x3aWICa8ZqoM9hoiIzVhwhkLA/ae94goVfc&MJBx=FdCtDF7XaZvxp8w0
http://www.mataangin.net/pna/?Qzr=o/AJFgPg/rbDqSsFRatFNqFF87My87PbRraUcI3XxD6SDEHBVw/9QUHgwqVD98MMlV6r5EQQ&MJBx=FdCtDF7XaZvxp8w0
|
4
www.videosdownloader.world(104.31.70.123)
www.mataangin.net(216.58.197.147)
74.125.203.121
104.31.70.123 - suspicious
|
2
ET INFO Observed DNS Query to .world TLD
ET INFO HTTP Request to Suspicious *.world Domain
|
|
9.6 |
M |
9 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45936 |
2020-10-23 20:24
|
vbc.exe fcba8b1c5716461bba1273bfb0c2b825
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed |
|
|
|
|
13.2 |
M |
29 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45937 |
2020-10-23 20:02
|
uzo.exe 48520b30c57caafbf360c5e71920b82a
VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs |
|
|
|
|
8.8 |
M |
9 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45938 |
2020-10-23 20:00
|
presh.exe 0a9d84384de463aabdecb558364b7fb8
VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs |
|
|
|
|
10.4 |
M |
32 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45939 |
2020-10-23 11:10
|
inf-2020_10_23-EJ505.doc 1d5be9c83557b664dc292323fc4ec573
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
5
http://autodidactai.com/wp-content/5SF/
http://primaage.com/wp-admin/is/
http://uvibrands.com/QIG/
http://177.107.79.214:8080/xnoNI2qo11i3D/3aNkn/XcAA7MF7AWKL4LMEiEf/9NYV9VrLE/Mb8iWJuY/sncmOVN9EXFxv/
https://cs.vitalero.com/wp-includes/Vf/
|
11
cs.vitalero.com(89.221.212.63)
morrobaydrugandgift.com(46.17.175.19)
primaage.com(103.8.25.135)
uvibrands.com(172.67.155.28)
autodidactai.com(104.31.77.164)
177.107.79.214
103.8.25.135 - suspicious
46.17.175.19 - suspicious
104.31.77.164
104.18.48.233
89.221.212.63
|
3
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
M |
27 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45940 |
2020-10-23 10:57
|
X_22195069.doc d61a47be392a0a7af4b6777057503911
Vulnerability VirusTotal Malware Report Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
3
http://www.chapelknollestates.com/cgi-bin/Xr9RkLq/ - malware
http://96.126.101.6:8080/eTYkX/5Fl9s5owHWh9BD6sP6/ - mailcious
https://rallyemas.com/wp-content/x51/
|
8
www.chapelknollestates.com(131.153.44.4) - malware
rallyemas.com(88.99.145.163)
swiftbusinesspay.com(68.66.248.54) - malware
96.126.101.6 - suspicious
88.99.145.163
200.116.145.225 - suspicious
131.153.44.4 - suspicious
68.66.248.54 - suspicious
|
7
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET CNC Feodo Tracker Reported CnC Server group 13
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.2 |
M |
21 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45941 |
2020-10-23 10:46
|
t.exe c7d0c34935ed91bda9d99688b4cd1fe3
VirusTotal Malware Report Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://96.126.101.6:8080/d8HFt/Wi9QIuN1Noi0x0/ - mailcious
|
2
96.126.101.6 - suspicious
200.116.145.225 - suspicious
|
1
ET CNC Feodo Tracker Reported CnC Server group 13
|
|
7.4 |
M |
14 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45942 |
2020-10-23 10:45
|
uu1hTTn1h.exe 10ac7570e15e05eeeda62fcafca1cb9f
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://188.226.165.170:8080/DsKr19C9vITeWAXHSZ/ - mailcious
|
2
188.226.165.170 - suspicious
78.90.78.210
|
|
|
7.4 |
M |
14 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45943 |
2020-10-23 10:35
|
photos.exe 7fe46c0cd8eb73f3d51c17eeda16bdf9
VirusTotal Malware |
|
|
|
|
1.2 |
M |
23 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45944 |
2020-10-23 10:34
|
0488939.doc 3f0d1297b898cc4b868d373bd3b1f38d
Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee Windows DNS |
5
http://allcannabismeds.com/unraid-map/xcGN/
http://stopinfo.vhostgo.com/info3.html?data=jiafunongye.com%2Fapplication%2FNJ3Ta¬e=%E7%97%85%E6%AF%92%E9%93%BE%E6%8E%A5%E6%9C%AA%E5%88%A0%E9%99%A4&type=1
http://amarteargentina.com.ar/wp-admin/GOAvrV/
http://jiafunongye.com/application/NJ3Ta/
https://acheterdrogues.com/wp-admin/m/
|
13
hcareconcepts.com(51.81.109.122)
amarteargentina.com.ar(66.97.40.114) - mailcious
jiafunongye.com(211.149.252.72) - mailcious
allcannabismeds.com(35.208.69.64) - malware
acheterdrogues.com(104.18.49.158)
stopinfo.vhostgo.com(211.149.246.250)
35.208.69.64 - suspicious
78.90.78.210
211.149.246.250
66.97.40.114 - suspicious
172.67.186.189
211.149.252.72 - suspicious
51.81.109.122
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.8 |
|
30 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45945 |
2020-10-22 23:24
|
Mssz6xtWX5orm7o1nlYg.exe ff2ce8b5a2e8f56035f0fd2741e9d45e
VirusTotal Malware PDB Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://167.114.153.111:8080/gtG28g/ynMKzV9XZyPmE/O5cAFtAz9y5UkFddW5U/xxPbLWGI0rztF/Faf9AW0b/ - mailcious
|
2
208.180.207.205 - suspicious
167.114.153.111 - suspicious
|
|
|
8.0 |
M |
54 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|