46081 | 2020-10-19 11:16
https://docsecure.top/xls/0099... fd26ed0c60e78722e574799704209d23 Vulnerability VirusTotal Malware MachineGuid Code Injection Checks debugger exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
2
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml https://docsecure.top/xls/00999212.xls
2
117.18.232.200 8.209.75.30
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.top domain - Likely Hostile
7.0
M
admin
46082 | 2020-10-19 11:16
https://docsecure.top/111.exe ff47e6eb2602178a4306e4fcecb15b7d Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Report suspicious privilege Code Injection buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Kovter Windows Exploit ComputerName DNS crashed
2
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml https://docsecure.top/111.exe
7
103.36.48.103 103.76.169.213 117.18.232.200 195.123.240.113 8.209.75.30 85.204.116.173 89.223.126.186
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET CNC Feodo Tracker Reported CnC Server group 13 ET CNC Feodo Tracker Reported CnC Server group 24 ET DNS Query to a *.top domain - Likely Hostile ET CNC Feodo Tracker Reported CnC Server group 1 ET CNC Feodo Tracker Reported CnC Server group 23 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
8.4
admin
46083 | 2020-10-19 11:13
OperaSetup.exe ff4661ec5bef09ac7fcf479c933d2d81 Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Tofsee Remote Code Execution DNS
5
https://autoupdate.geo.opera.com/v2/netinstaller/Stable/windows/x64 https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://autoupdate.geo.opera.com/geolocation/ https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://download.opera.com/download/get/?id=51078&autoupdate=1&ni=1&stream=stable&utm_campaign=(direct)_via_opera_com_https&utm_medium=doc&utm_site=opera_com&utm_source=(direct)_via_opera_com&utm_tryagain=yes&niuid=9ff42522-a862-4912-b63e-6c2e545f3ad4 https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://download.opera.com/download/get/?id=51081&autoupdate=1&ni=1 https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://desktop-netinstaller-sub.osp.opera.software/v1/binary https://desktop-netinstaller-sub.osp.opera.software/v1/binary
4
107.167.110.217 107.167.119.133 23.43.9.151 82.145.216.19
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4
guest
46084 | 2020-10-19 10:55
https://docsecure.top/xls/0051... 1857ec35df81a3cb7fe02c9382ba3be7 Dridex TrickBot Vulnerability VirusTotal Malware MachineGuid Code Injection Malicious Traffic Checks debugger exploit crash unpack itself Windows utilities Tofsee Kovter Windows Exploit DNS crashed
3
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml https://docsecure.top/xls/00517069.xls https://194.36.191.177/sim/sim.php?Rd=Nb&Rf=fb5f7e13&Rk=test22-PC@@TEST22-PC@@test22@@*192.168.56.101%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Desktop%20Adapter@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&1623214863
3
117.18.232.200 194.36.191.177 8.209.75.30
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.top domain - Likely Hostile ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)
7.2
M
admin
46085 | 2020-10-19 10:54
Document13177.xlsb 136d90dfdc8d28ccfc090f1d09c9bd18 unpack itself
0.8
guest
46086 | 2020-10-19 10:53
Document13177.xlsb 136d90dfdc8d28ccfc090f1d09c9bd18 unpack itself malicious URLs
1.6
guest
46087 | 2020-10-19 10:53
Document13177.xlsb 136d90dfdc8d28ccfc090f1d09c9bd18 Dridex Malware Creates executable files unpack itself malicious URLs Tofsee DNS
1
http://solosur.com/1610.gif
1
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.6
guest
46088 | 2020-10-19 10:47
8yPNq.exe 72f119c6e945eace409d20d7e6973804 Malware PDB Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
1
http://208.180.207.205/Q0R9VIMz/
1
5.8
admin
46089 | 2020-10-19 10:46
pegasun.exe e202bc7ccc1682624be91fe0b86d10ce MachineGuid Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk VM Disk Size Check human activity check installed browsers check Windows Browser ComputerName Cryptographic key
5.8
M
admin
46090 | 2020-10-19 10:42
http://google.com 5c8e481fca1860d15244132ca413e8ea Code Injection Creates executable files RWX flags setting unpack itself Windows utilities Tofsee Windows DNS
10
http://ssl.gstatic.com/gb/images/i1_1967ca6a.png http://www.google.com/ http://www.google.com/favicon.ico http://google.com/ http://www.google.com/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png https://www.google.com/images/hpp/Chrome_Owned_96x96.png https://id.google.com/verify/AHGvNow70cKTzJ4YAiZ9bQ-bGyUfv6hsoNbwOSaa3e4cSAOdXAQTzx4UfvQpPWuCQmp-bGiRcdgi8qIkwFg0Kwf0zip6VLRqLyFEfG-W5XRBBI3VW3PX5w https://www.gstatic.com/og/_/js/k=og.og2.en_US.aNy2w8E-FIo.O/rt=j/m=def/exm=in,fot/d=1/ed=1/rs=AA2YrTtYt4kBIDdFLRAEBm_mSuG9eV0NzA https://www.google.com/gen_204?atyp=i&zx=1603071699078&ogsr=1&ei=3O6MX86NFJGS0gSGmo-QDw&ct=7&cad=i&id=19020306&loc=&prid=1&ogd=co.kr&ogprm=up&vis=1 https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.40L1XIQnUK4.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo87VqKnhJy5DXHDJekiAyngLi-Q2w/cb=gapi.loaded_0
5
172.217.161.163 172.217.174.195 172.217.174.206 172.217.24.78 216.58.200.4
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6
admin
46091 | 2020-10-19 10:40
http://google.com 7c5b5c860e570c3a102b9ad3b70d5250 Code Injection Creates executable files RWX flags setting unpack itself Windows utilities Tofsee Windows DNS
14
http://ssl.gstatic.com/gb/images/i1_1967ca6a.png http://www.google.com/ http://www.google.com/favicon.ico http://google.com/ http://www.google.com/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png https://www.google.com/images/hpp/Chrome_Owned_96x96.png https://id.google.com/verify/AHGvNoz67299XAAw47xz8dx2N0jUdvDfJPI-xpYa0-aMA903QE7EmGdb5HLbauvbTfQrEfQmuaVNT7l8BXkflu72YB62QyZfILm_k1UFFTLGmPcwVzPOMg https://www.gstatic.com/og/_/js/k=og.og2.en_US.aNy2w8E-FIo.O/rt=j/m=def/exm=in,fot/d=1/ed=1/rs=AA2YrTtYt4kBIDdFLRAEBm_mSuG9eV0NzA https://www.google.com/gen_204?atyp=i&zx=1603071496312&ogsr=1&ei=Eu6MX7erObG2mAXImrzYDQ&ct=7&cad=i&id=19020306&loc=&prid=1&ogd=co.kr&ogprm=up&vis=1 https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.40L1XIQnUK4.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo87VqKnhJy5DXHDJekiAyngLi-Q2w/cb=gapi.loaded_0 https://www.gstatic.com/og/_/ss/k=og.og2.PgfxfGqQF7o.L.I9.O/m=lg/excm=in,fot/d=1/ed=1/ct=zgms/rs=AA2YrTtXOZGBi97nSWVF5_lQHggN-0axqA https://www.gstatic.com/og/_/js/k=og.og2.en_US.aNy2w8E-FIo.O/rt=j/m=lat/exm=in,fot,def/d=1/ed=1/rs=AA2YrTtYt4kBIDdFLRAEBm_mSuG9eV0NzA https://ssl.gstatic.com/gb/images/a/911e3628e6.png https://ssl.gstatic.com/gb/images/p1_e53fc7b4.png
6
172.217.163.228 172.217.174.195 172.217.24.78 172.217.25.3 216.58.200.67 216.58.200.78
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6
admin
46092 | 2020-10-19 10:37
test2.hta d8c6560478cca57bb84a2c37228c44bf Code Injection RWX flags setting unpack itself Windows utilities Windows
2.2
admin
46093 | 2020-10-19 10:34
Wkhuldcw8s2x4nsXa.exe 684ba2ea81a8e9ab031260cbf0dd5db8 VirusTotal Malware PDB Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key
1
http://2.45.176.233/rPor/kwcwCsOqqnt/haqARQeG/
1
6.6
26
admin
46094 | 2020-10-19 09:29
eh.exe 4d0f2cb16083c2c99e05cdb59f2d3243 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs
8.6
M
27
admin
46095 | 2020-10-19 09:28
https://docsecure.top/xls/0061... 92e79228771983699fc0cfe8dfa7f407 Vulnerability VirusTotal Malware MachineGuid Code Injection Checks debugger RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
2
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml https://docsecure.top/xls/00613486.xls
2
117.18.232.200 8.209.75.30
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.top domain - Likely Hostile
7.4
M
guest