45991 | 2020-10-21 13:25
document.doc cc6c4031b59d182755ae188c7f66ad7e
Tags: LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed
URLs (2):
  http://asdfghjklzxcvbnmmnbvcxzlkjhgfdsapoiuytre.ydns.eu/chang.exe
  http://magicview.ga/chang/gate.php - malicious
Hosts (5):
  magicview.ga(46.173.218.219) - malicious
  asdfghjklzxcvbnmmnbvcxzlkjhgfdsapoiuytre.ydns.eu(103.133.108.6)
  164.124.101.2
  46.173.218.219 - suspicious
  103.133.108.6 - suspicious
Signatures (11):
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET POLICY PE EXE or DLL Windows file download HTTP
5.0 | M | 24 | admin

45992 | 2020-10-21 13:23
vbc.exe ed3e155b736c7f072cd1358938e9c046
Tags: VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed
Hosts: 1 (no entries listed)
3.8 | M | 18 | admin

45993 | 2020-10-21 11:41
doument_f.doc 66ceeaa89b207eceac70097eb38a7a64
Tags: LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs (2):
  http://kregmartlime.ga/main/mode/vbc.exe - malware
  http://crestmart.ga/main/l09/US/mode.php - malicious
Hosts (4):
  crestmart.ga(46.173.218.219) - malicious
  kregmartlime.ga(46.173.218.219) - malware
  164.124.101.2
  46.173.218.219 - suspicious
Signatures (11):
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET POLICY PE EXE or DLL Windows file download HTTP
5.0 | M | 26 | admin

45994 | 2020-10-21 11:30
vbc.exe ed3e155b736c7f072cd1358938e9c046
Tags: VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs crashed
3.8 | M | 18 | admin

45995 | 2020-10-21 10:45
Bsa0EU8qz4h.exe 5ff52ab6d0ea008d5863ac2ebe443f66
Tags: Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
URLs (1):
  http://59.148.253.194:8080/RgpXGY1vrrEKcRP/ciDkjur/diWefO1oWfpWLv0/vpusga4zLG/gDRvQLY/pEoR0CpyXrsqh2hh/ - malicious
Hosts (3):
  164.124.101.2
  173.68.199.157 - suspicious
  59.148.253.194 - suspicious
6.6 | M | | admin

45996 | 2020-10-21 10:38
https://itravel.co.tz/Img/VKO.... 09cebe17b568ad619a95aa0d868db2b9
Tags: Dridex Malware Code Injection unpack itself Windows utilities malicious URLs Tofsee Windows
Hosts (3):
  itravel.co.tz(160.153.133.172)
  160.153.133.172
  164.124.101.2
Signatures (3):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
2.2 | | | admin

45997 | 2020-10-21 10:37
https://itravel.co.tz/Img/docu... 28fbc92abd52bd871cfa322673390621
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (1):
  http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
Hosts (4):
  itravel.co.tz(160.153.133.172)
  117.18.232.200 - suspicious
  160.153.133.172
  164.124.101.2
Signatures (3):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.6 | | | admin

45998 | 2020-10-21 10:37
doument_f.doc 66ceeaa89b207eceac70097eb38a7a64
Tags: LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs (2):
  http://crestmart.ga/main/l09/US/mode.php
  http://kregmartlime.ga/main/mode/vbc.exe
Hosts (4):
  crestmart.ga(46.173.218.219)
  kregmartlime.ga(46.173.218.219)
  164.124.101.2
  46.173.218.219
Signatures (11):
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
5.0 | | 26 | admin

45999 | 2020-10-21 10:00
word.pif 794c1b3f3a58594f247487bcb0690e8f
Tags: VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs IP Check Windows ComputerName DNS Cryptographic key DDNS
URLs: 1 (no entries listed)
Hosts (5):
  waynegriffin.publicvm.com(104.244.74.228)
  ip-api.com(208.95.112.1)
  104.244.74.228
  164.124.101.2
  208.95.112.1
Signatures (1):
  ET POLICY External IP Lookup ip-api.com
12.6 | M | 55 | admin

46000 | 2020-10-21 09:55
035708552.doc 9bc89e09c2f9d3532490809a26ff2126
Tags: Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee DNS
URLs (2):
  http://188.226.165.170:8080/sUMLSLn5QPY86TXZUlU/tt66ph/moPEwTi/74gIsQHK/Nnq4b/MsmOT9UTSVXPf4/ - malicious
  https://luofox.com/wp-admin/fpTWdJzQR/ - malicious
Hosts (7):
  luofox.com(106.54.225.198) - malicious
  104.131.144.215 - suspicious
  106.54.225.198 - suspicious
  164.124.101.2
  188.226.165.170 - suspicious
  5.2.246.108 - suspicious
  91.121.87.90 - suspicious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.6 | M | 22 | admin

46001 | 2020-10-21 09:50
560120.jpg.exe 0ad85c29dbce9562804072147e7edf0f
Tags: VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs Ransomware Windows Tor ComputerName Cryptographic key crashed
Hosts: 1 (no entries listed)
13.2 | | 20 | admin

46002 | 2020-10-21 09:44
IncomeTax-Payment-Receipt.exe b6c7d6070550125b8afc5e885497584a
Tags: AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check Windows
Hosts: 1 (no entries listed)
9.0 | | 42 | admin

46003 | 2020-10-21 09:42
INV_54907087.doc 7b57c2e543a5c68eb97c2c3814f753e9
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (2):
  http://75.188.96.231/ofPdu0LE/ - malicious
  http://nursefreedomsystem.com/cgi-bin/eYae/ - malware
Hosts (4):
  nursefreedomsystem.com(148.72.3.169) - malware
  148.72.3.169 - suspicious
  164.124.101.2
  75.188.96.231 - suspicious
Signatures (4):
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
5.2 | M | 21 | admin

46004 | 2020-10-21 09:40
IncomeTax-Payment-Receipt.exe b6c7d6070550125b8afc5e885497584a
Tags: AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check Windows
Hosts: 1 (no entries listed)
9.0 | | 42 | admin

46005 | 2020-10-21 09:38
xADus3db3.exe 07ba84898b8694b57af73fac693f467e
Tags: VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
URLs (1):
  http://75.188.96.231/TuyUqyv5/M31okGeXTuoP4a/HBqeBSTDQdb1uDU/kPvZ/kzvWwAo/ - malicious
Hosts (2):
  164.124.101.2
  75.188.96.231 - suspicious
6.0 | M | 8 | admin