46456 | 2020-09-18 13:26
Sample: Qvvn5zOrG.exe
MD5: b251fc29e1b72d5a29bb2eba8f9412e2
Tags: VirusTotal; Malware; Malicious Traffic; RWX flags setting; unpack itself; malicious URLs; sandbox evasion; Windows; Advertising; ComputerName; Remote Code Execution; DNS; Cryptographic key
URLs (1):
  http://38.88.126.202:8080/I4F6/THttNvff9NR/AKOJY1jR2lQoORoF/
IPs (5): 155.186.0.121, 38.88.126.202, 51.38.124.206, 82.196.15.205, 71.72.196.159
Alerts: (none listed)
Score: 8.4
Unlabelled columns: 37
User: admin

46457 | 2020-09-18 13:24
Sample: FILE_IMLJN8AV0.doc
MD5: e1be29a8796394531172cd0ca910f6b2
Tags: Vulnerability; VirusTotal; Malware; Malicious Traffic; unpack itself; malicious URLs; Tofsee; Windows; DNS
URLs (2):
  http://carolinacanullo.com/js/hllPT/
  http://71.72.196.159/atnhsPRxnJvD/0oPheFssnHmS/KX4GdOjf8jrOq/A5RyTcE7KR1Ga5fRP/S0t7gWW/
IPs (3): 203.195.224.199, 204.11.59.195, 71.72.196.159
Alerts (6):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 5.2
Unlabelled columns: 27
User: guest

46458 | 2020-09-18 13:23
Sample: INV_OHB_090120_HUP_091820.doc
MD5: e1be29a8796394531172cd0ca910f6b2
Tags: Vulnerability; VirusTotal; Malware; Malicious Traffic; unpack itself; Tofsee; Windows; DNS
URLs (2):
  http://71.72.196.159/rvOiOjkA5SZKeecSaWK/XBVWz/
  http://carolinacanullo.com/js/hllPT/
IPs (3): 203.195.224.199, 204.11.59.195, 71.72.196.159
Alerts (6):
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.4
Unlabelled columns: 27
User: guest

46459 | 2020-09-18 10:22
Sample: http://edunara.kr/
MD5: 9236c5c9937e3bd6703f7bbc3a50fb9c
Tags: Code Injection; Creates executable files; unpack itself; Windows utilities; malicious URLs; Windows; DNS
URLs (9), space-separated as extracted:
http://edunara.kr/px.js?ch=2 http://ww1.trhzc.c/adclk?&gm=vaNn80x%2Fdo31FZjhNtfravm6Us2DZWpE%2BxcxZGQKC4uCH98mUI5hpzBdrDrUWLwGqBgvLltKRwbSAJmNjloVj8jXsONUXPw1fOxTHASrE3ITd3gemfIh1O6T2eU90D4wXSjleUdAp25HX016RCVcbjHZS7VlkDxUO%2FwwUeKH0mbC8kO2Z5OyPBDR58zvMzwStPX85Ag3g29YqEaTEi24P9FmXDg%2F17hmeaZAxqAA7iwABCYeu0HZm9enRFBJvkMKxU9nlEmuFWkPym6ovMyrpZiZibgQB5uS2aVYCOBOsWE%2Bp61PSigc0fDGhDWZ%2Fs%2F%2B1Ojnoar4FcJRoC9pCHQCjC30Uq9wbLxCYMyp666w18VTCp7bHGFohhML52vpaUDh8i2yWCpMqRdkd0Qpieauc2Pe1DEh9cpJqHl6XeQvroqKU0EzcTQiW2oz8rlw4NTxoccZ4IwKSSvjQMOYx%2F%2BYPsFbNq1vh%2BSskZIs2QB04zpwH%2FzDmQ0YyEeZR6G2sq7F0SwjSBoDHMGrxR3USvWt2TL0qcKgE6F5FNoHa94W%2BIR3Iqsu8UIhL61s6fKbpuWD7ezpuw5x4hnJYnIuH1zb2cW78jxpaj52zQS%2Bbh8SxLQihXCDwKzAKHk2UQz7h0V%2Fo6t1qEhXBH87bJM%2F7fSS88mnZ9O1zckVnERyRch6ybxJwukyUacx8bE80o8o%2BMOOdi2lfbaqeG5Po%2Bg8iU9wGhfM6PtqfzTjf899dPg0XnC2Th2hwrUOcdZ1ZbIDmIaL6rkq1Q1H9JfqDLlTKYDWoLCDgnPGgJdJbDN%2F3GVb4x8NvJXClwywd%2BtPbV2CL%2BJcadrfG505iB5%2F8vxt00W7lHEk4scl8Zw6rM1XR%2B0h4Zf8KvddQyJCtak%2FZlvIV8NLWoGildHhc7F2k8ypV1uzq%2F%2BKJEfXeyQXAi7VFDMZCgQ0o0vkqogrBn%2B4g2COmTKfVjXV%2Fl2TUtRyWJuCMzR6xldJkE3hD4nCFvwmvFKiF6GzNSPYNsiLn2TWbPbYPvgoGlQjSV6ECwRssTxkdqVKzTZoUDK71KZXy4MOIuVOGkY9IhT0%2FEYlqxTyve9Wwc9mWEyUbSX%2B3Xed%2Fj3ox4DUF67aGafIaDEMtDJVuQhfnpHOKAFpBX0B9gZ7AlDLpsUEFQAMaqMl1usqnPO0AD%2Fdg8WZ30YRnnvFOHx2mAJYglSOD4LBDPgmMWDa%2FHWTh68ZMFl3p0XU4X4YLfatLMFBh%2BECzNGF29JvxjuwS6WHfIcp2zRKGkqG8ELqceIDPgrFHcEQYzTZhFuGBJe2HPajap0ulPx3U4OenbCDanHGMjx5Jupt%2Fcw6LxdQl7m5fcW8JCVpoFQ6TBfpVTJfmFjjD5grqsWbzrmOSj974wDbBjIrn5Rymmgt56rxHC73vGdMNdYwV81bUsBgqBWwOP5M%2FGyS4UwynOWtUpQbsBcbE9O%2FEsPHV9JgUd%2F0pzXW2NBcCu4y2SlZAgsKVd0ynXtYCItBJmXCcNdGbvcdpWXy2wD3E4Nmfz9LPD2Q83%2FXxeNmumMC12WRnmQrLAd1ikddGfuyI7lgbxRqPW4l%2BFQmBaWJO2kKiuKe1kPehEn%2FDuje0aWBpRoHq%2FVSfNy9Ei4m7P0mpFuDcxDsOI3tu7PG6wk%3D&gc=11173479376031803831482&gi=3bMSGjhTdc9fKE%2FnmVnRAMkKL3e0lY6DmvABNOPoR5Za6gnOdjwTZ5cQlMmSerRhSCA%2B4w4DOLOcTrm6304YOdHoel9CQ1k007Sc0cJpq%2BW8Dy90Q9c%2F2s2FFIremh8v2qse4uYepSGh%2FUXbhBf9Dke81Fbh9oZQiY2KLwKt8u6
IBGF0M6jPavWTi7RPIAbbaISnexyu4pUfyEEY96TSI3dSx%2Bh0vxavVEzoxrnlkKT79ya8lE1EVreMyiEbQIo2d8BUqbsCoaUVa2x48j4%2BA2mw4iwvpu6yz2aSv4wHMROqNDGg8lBJPUTdHz7F%2BcTm6syrrUT93EYGXYCzwCnddnYn6Fv87%2FMsl8EyjUAVscj7BPwZpqrfbgcnsNCtGKT8AwaQOhsFRZjiouaAU%2FvOB%2FV1Um82jkwwbj67T0523wqo0XN9Nhv3%2B1rDQ1ROaqrCuonhMsSZ60MdOMxQKaPNTarV0ZzsVLsmOnFvqS63%2FraBgr1fvpprM%2FfPIFHtbJnV%2F0IluMQSZk6sEDQT0CnB8v5lR%2BWvX9BKavUk7PiVTZqRkBA3JrA2gj4ewcWjRLXQyErquVIMO8pDABMP1DLhAg%3D%3D&kgp=0&jccheck=1&jccheck=1 http:///zcvisitor/14060bca-f94d-11ea-a63b-0acfd00d957b?campaignid=082dbb60-c1ce-11ea-88e6-0a06ea97c507 http://usa.llyr-iap.com/zcredirect?visitid=14060bca-f94d-11ea-a63b-0acfd00d957b&type=js&browserWidth=1020&browserHeight=613&iframeDetected=false http:///aS/feedclick?s=Ilxxar-4JDjHYSZnQRV0rUoLXZk8gkPQVyQZ7AkEgAut3Q5wgRfquehZ1ZnUncqkY_iD5bFykKi_84eTTfdYjvJhYB0lhN02w7bvw4bnd-W8d-dbpRP5jdpPFz6d4P_3D254tbPpb_TRVdk4QngqGsShisdnfdTCiW2sb-v18WBg-SXEZSPlMJn6Jvp2Nfesx2TtDlUaXFKLvbHD1XYExmN03MC45aGs8oitFKR9GdWa20aLD4elENbdf_IOAZTpNzlhoSpswNmz-NEnlQU9hsUrAAWCWiKnxLb8Df9q_tEJJpwPSDe_NtFkWe1i_53OQaB_RB-OGToh6s0pPikYOx4dSrPRA6suNNn_LYBrRyl6EARZVFALDets3_98TNRM2OdfWpRdg1PJmtu8aic4042H609E5Mmi5zA4AmCsP81uVSjm6oMtlHvMhE4DHRNu5e_8hS45gi5-vuNcVk4zWFYswVREENmebaE5HD1-s1EQH8BBZh7rR04Uv82HbD9Oe7juwzwogxlv5hOlOunMKmjNLMMTZIlumF1VVH9EDxXdm6pB7cakD-4K2qfdnF8mP6jwiJj3aC8QfEtsqylpeR_XmSrVP1iYW8owlqR8oq7GIgzU-ndWzQeXD0GlNw7NQOcptr00RgDwgnsPwe0EA6XNk1nboqvvt08uQTTV3Vi4nHnHl7t2xWXS4vz3AC4dh_Tdr8JrvoOte1VWtwz0kcFiVhddv73nqyTUF5uPVoecwZisq2NEw3bqneWx7ruLRUWvGae3tpF41lxTkQPO59Z2fAdhoBtgwnAFupUdPfu8RdRni3Y9hrkEXH2fD04C307vLP3VrHtue9HG9BJ2DjsxELDaIN5e4gzBP2CeSjmJxO-iyWjf4x_PS3pWgypIWUbChny-Q2BgGLknnuiD1yqjnj07vDZpOzEQsNog3l5BMt4V4cbe0NpWefNPhNVxqDomzNDto1_zOE234TsqeuDeLy5FGor1bMEPb8DIZephrepC-c5siy2eHpxQVfMxGdxEzl6WRErz-SJtaiVGfT1WTVFjPu73LCUleHfIBE04G-vv3w44PGWCXHzsP1Zm-SNCwjFAvHiMrmojSri2qyU7ugF2M-yuDTF8nTyMvAgGdIs0ipqA2DpLAmwBmSDbNZWLazcZZv6uvWDm3ZjdvdUHwoc48Uya_MghINXZ2dP0NatE1cnb9Q5RUDuR6cw8GCxP4_jDbLeqTtGge7u4s3qlIZT6kkN
yrqQt3trz2AX0ZXYWqs5-6SYNb-iWwdA0 http://edunara.kr/ http://edunara.kr/px.js?ch=1 http://b.rmgserving.com/rmgjsc/zcFilters.js?1 http://edunara.kr/?ga=VDcN2s1hQH8MI5O7mMQ3FjhtgAz5exmV80lk81lmq%2FcTYH3lfRtOh0RZCWexV9Lvcz%2FlDFNc8WCOpv3XATdfHjnsoCW0CgPnIoo8w6iGWQcnk1wvKlVq5QnXIp4xSZIG2lGGc0Yi8HsG3XkpaKuzAQXg0KiMR%2Bzv2N9PqtN4DHA%3D&gerf=keOgbftnJcS5WR4gs86NWwR3WHbSXL6SPDTMFJhMJI4%3D&guro=Cp8OT0moDM6RefezILqbI%2FdaFE%2F5jBx6sW83UgiFlKBi3Xc1LOCUrag%2BclnThL%2Fv&
IPs (5): 121.254.136.24, 141.8.224.25, 173.192.101.24, 208.73.211.165, 54.225.132.253
Alerts: (none listed)
Score: 3.6
User: admin

46460 | 2020-09-18 10:21
Sample: 8xDprwp7V3FKb0v.exe
MD5: 5cc6c157fc05d45204a6664d97b1e8ed
Tags: VirusTotal; Malware; Malicious Traffic; RWX flags setting; unpack itself; malicious URLs; sandbox evasion; Windows; Advertising; ComputerName; Remote Code Execution; DNS; Cryptographic key
URLs (1):
  http://38.88.126.202:8080/QZEAMl2WT2T/nvSjAODEm3XuU/
IPs (3): 38.88.126.202, 51.38.124.206, 91.105.94.200
Alerts: (none listed)
Score: 7.4
Unlabelled columns: 8
User: admin

46461 | 2020-09-18 10:00
Sample: 22xVW0v.exe
MD5: 36bc7cd40eb0d9563621bc3afc834dd8
Tags: Malware; Malicious Traffic; RWX flags setting; unpack itself; malicious URLs; sandbox evasion; Windows; Advertising; ComputerName; Remote Code Execution; DNS; Cryptographic key
URLs (1):
  http://5.189.168.53:8080/UoBc0sXE7hvMKlY/XKnKe2SRr9ndMN/Sm9aKk/hmeghhelJOk1mRUqY/8qwsE5c7eF/UqxUkyfaKVrBRTp/
IPs (2): 190.192.39.136, 5.189.168.53
Alerts: (none listed)
Score: 7.2
User: admin

46462 | 2020-09-18 09:43
Sample: testest.exe
MD5: a16782a5ea9ab3ad0e71e61db261f550
Tags: Browser Info Stealer; VirusTotal; Email Client Info Stealer; Malware; suspicious privilege; Check memory; Checks debugger; unpack itself; Check virtual network interfaces; malicious URLs; Tofsee; Ransomware; Windows; Browser; Tor; Email; ComputerName; DNS; Cryptographic key; crashed; keylogger
URLs: (none listed)
IPs (1): (not listed)
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.8
Unlabelled columns: M | 48
User: admin

46463 | 2020-09-18 09:43
Sample: tel.exe
MD5: 0b52424adb115b1336d084cf0cfbb73e
Tags: Browser Info Stealer; FTP Client Info Stealer; VirusTotal; Email Client Info Stealer; Malware; suspicious privilege; MachineGuid; Malicious Traffic; Check memory; Checks debugger; unpack itself; Windows utilities; Check virtual network interfaces; malicious URLs; AntiVM_Disk; VM Disk Size Check; Tofsee; Windows; Browser; Email; ComputerName; DNS; Cryptographic key; Software; crashed
URLs (2 distinct; the listing repeats them 5 times):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
IPs (4): 104.28.4.151, 131.186.113.70, 149.154.167.220, 216.146.43.71
Alerts (5):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  ET INFO TLS Handshake Failure
Score: 10.2
Unlabelled columns: M | 51
User: admin

46464 | 2020-09-18 09:26
Sample: Et9TKtRVeJOssH1zKCDX.exe
MD5: 789178461b2d4a00b3cc78cab36c6669
Tags: Malware; Malicious Traffic; RWX flags setting; unpack itself; malicious URLs; sandbox evasion; Windows; Advertising; ComputerName; Remote Code Execution; DNS; Cryptographic key
URLs (1):
  http://38.88.126.202:8080/bxWb/J7hS3/J284OPI00GuAjv3e/2l4MNRECeng/iJ0zHnIdXWWSlB0/
IPs (3): 38.88.126.202, 51.38.124.206, 91.105.94.200
Alerts: (none listed)
Score: 7.0
User: admin

46465 | 2020-09-18 09:15
Sample: DOC_QSU_090120_CCC_091820.doc
MD5: f8473dc3fcda21407659420512f2f347
Tags: Vulnerability; VirusTotal; Malware; Malicious Traffic; unpack itself; Tofsee; Windows; DNS
URLs (2):
  http://carolinacanullo.com/js/hllPT/
  http://71.72.196.159/G2bGreKGpkKf4R9vnbE/OXHPKAKL/VdGApd88fdIt/cxdYCgs/gAgKLoXGWvE5CyK7xo/kHRUq/
IPs (3): 203.195.224.199, 204.11.59.195, 71.72.196.159
Alerts (5):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 4.4
Unlabelled columns: 20
User: admin

46466 | 2020-09-18 09:14
Sample: 19796066164507054740687.doc
MD5: f8473dc3fcda21407659420512f2f347
Tags: Vulnerability; VirusTotal; Malware; Malicious Traffic; unpack itself; malicious URLs; Tofsee; Windows; DNS
URLs (2):
  http://71.72.196.159/g8HwGzlJGmUJv2vA/ymTfP5sL/lrgXuwwDqDDVfVg0/uIwL5/oT0WeoB6dh7nR4EcS/
  http://carolinacanullo.com/js/hllPT/
IPs (3): 203.195.224.199, 204.11.59.195, 71.72.196.159
Alerts (5):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 5.2
Unlabelled columns: 20
User: admin

46467 | 2020-09-18 08:02
Sample: http://blog.penmman.com/wp-con...
MD5: 6f34b1d69e321a9e7732d2c6f89cb9f5
Tags: VirusTotal; Malware; AutoRuns; Code Injection; Malicious Traffic; Creates executable files; RWX flags setting; exploit crash; unpack itself; Windows utilities; Auto service; malicious URLs; AntiVM_Disk; sandbox evasion; VM Disk Size Check; human activity check; Windows; Exploit; Advertising; ComputerName; DNS; Cryptographic key; crashed
URLs (3):
  http://134.209.36.254:8080/nQVwnK5kipQq3M/
  http://blog.penmman.com/wp-content/uploads/1ECbn9K/
  http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
IPs (4): 117.18.232.200, 13.235.119.142, 134.209.36.254, 71.72.196.159
Alerts (4):
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 12.6
Unlabelled columns: 9
User: guest

46468 | 2020-09-17 18:42
Sample: vnCCABpwYPRX4baP.exe
MD5: ce34c7cdcab98f7079871c93c60f5c52
Tags: VirusTotal; Malware; Malicious Traffic; RWX flags setting; unpack itself; malicious URLs; sandbox evasion; Windows; Advertising; ComputerName; Remote Code Execution; DNS; Cryptographic key
URLs (1):
  http://74.219.172.26/63AF/J0jZ8vawc7jMRA/wSFU6dnZEeAgbeD0/
IPs (1): (not listed)
Alerts: (none listed)
Score: 6.6
Unlabelled columns: 22
User: admin

46469 | 2020-09-17 18:38
Sample: invoice_233131.doc
MD5: a91fa70c30ad0a8f44690103b7eae994
Tags: LokiBot; Malware download; VirusTotal; Malware; c&c; Malicious Traffic; exploit crash; unpack itself; Windows; Exploit; DNS; crashed; Downloader
URLs (2 distinct; the listing repeats fre.php twice):
  http://babaseoa.com/cartel/five/fre.php
  http://tsdyshgshgnationalobjindustrialat21mpq.duckdns.org/shengdoc/vbc.exe
IPs (2): 103.141.138.130, 185.209.1.124
Alerts (12):
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET MALWARE LokiBot Fake 404 Response
Score: 4.8
Unlabelled columns: 24
User: admin

46470 | 2020-09-17 18:38
Sample: Attachments-3370623.doc
MD5: 80ed1babd3eb82afe06707e642356179
Tags: Vulnerability; VirusTotal; Malware; Malicious Traffic; unpack itself; malicious URLs; Windows; DNS
URLs (2):
  http://38.88.126.202:8080/MticMlegzsdrKOIyKAc/XxGbS/MGxeY2p6BFneM0U3/V6Rf7nWA5zS/jVyW6zlg/tcoNq0jCI/
  http://localesfavoritos.com/wp-admin/c/
IPs (5): 174.113.69.136, 217.61.130.34, 38.88.126.202, 51.38.124.206, 82.196.15.205
Alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
Score: 6.8
Unlabelled columns: 20
User: admin

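Several entries above share infrastructure and payloads: 38.88.126.202:8080 is the download host in 46456, 46460, 46464 and 46470 (with 51.38.124.206 contacted alongside it each time); 71.72.196.159 and carolinacanullo.com recur across the .doc submissions; and one MD5 appears under two lure names in 46457/46458 and again in 46465/46466. The script below is an added example, not code from this listing or the site that produced it: it pivots a batch of records on shared IPs, hosts and hashes and groups the samples that share any network indicator. RECORDS is constructed from a subset of the entries above; the BENIGN allowlist (the IP-lookup and Microsoft compatibility-list hosts seen in 46463 and 46467) is an assumption about which hosts should not link samples to each other.

```python
"""Pivot a batch of sandbox records on shared indicators (added example, not site code)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed from the listing above: (record id, sample name, MD5, URLs, contacted IPs).
RECORDS = [
    (46456, "Qvvn5zOrG.exe", "b251fc29e1b72d5a29bb2eba8f9412e2",
     ["http://38.88.126.202:8080/I4F6/THttNvff9NR/AKOJY1jR2lQoORoF/"],
     ["155.186.0.121", "38.88.126.202", "51.38.124.206", "82.196.15.205", "71.72.196.159"]),
    (46457, "FILE_IMLJN8AV0.doc", "e1be29a8796394531172cd0ca910f6b2",
     ["http://carolinacanullo.com/js/hllPT/",
      "http://71.72.196.159/atnhsPRxnJvD/0oPheFssnHmS/KX4GdOjf8jrOq/A5RyTcE7KR1Ga5fRP/S0t7gWW/"],
     ["203.195.224.199", "204.11.59.195", "71.72.196.159"]),
    (46458, "INV_OHB_090120_HUP_091820.doc", "e1be29a8796394531172cd0ca910f6b2",
     ["http://71.72.196.159/rvOiOjkA5SZKeecSaWK/XBVWz/", "http://carolinacanullo.com/js/hllPT/"],
     ["203.195.224.199", "204.11.59.195", "71.72.196.159"]),
    (46460, "8xDprwp7V3FKb0v.exe", "5cc6c157fc05d45204a6664d97b1e8ed",
     ["http://38.88.126.202:8080/QZEAMl2WT2T/nvSjAODEm3XuU/"],
     ["38.88.126.202", "51.38.124.206", "91.105.94.200"]),
    (46464, "Et9TKtRVeJOssH1zKCDX.exe", "789178461b2d4a00b3cc78cab36c6669",
     ["http://38.88.126.202:8080/bxWb/J7hS3/J284OPI00GuAjv3e/2l4MNRECeng/iJ0zHnIdXWWSlB0/"],
     ["38.88.126.202", "51.38.124.206", "91.105.94.200"]),
    (46469, "invoice_233131.doc", "a91fa70c30ad0a8f44690103b7eae994",
     ["http://babaseoa.com/cartel/five/fre.php",
      "http://tsdyshgshgnationalobjindustrialat21mpq.duckdns.org/shengdoc/vbc.exe"],
     ["103.141.138.130", "185.209.1.124"]),
    (46470, "Attachments-3370623.doc", "80ed1babd3eb82afe06707e642356179",
     ["http://38.88.126.202:8080/MticMlegzsdrKOIyKAc/XxGbS/MGxeY2p6BFneM0U3/V6Rf7nWA5zS/jVyW6zlg/tcoNq0jCI/",
      "http://localesfavoritos.com/wp-admin/c/"],
     ["174.113.69.136", "217.61.130.34", "38.88.126.202", "51.38.124.206", "82.196.15.205"]),
]

# Assumed allowlist: hosts that show up in sandbox traffic regardless of the sample
# (external-IP lookups, OS/browser telemetry) must not link two samples together.
BENIGN = {"checkip.dyndns.org", "freegeoip.app", "ie9cvlist.ie.microsoft.com"}


def url_host(url):
    """Lowercase hostname of a URL, or '' when it has none (e.g. 'http:///path')."""
    return (urlsplit(url).hostname or "").lower()


def build_index(records, benign=BENIGN):
    """Map each indicator (kind, value) to the set of record ids that carry it."""
    index = defaultdict(set)
    for rid, _name, md5, urls, ips in records:
        index[("md5", md5)].add(rid)
        for ip in ips:
            index[("ip", ip)].add(rid)
        for url in urls:
            host = url_host(url)
            if host and host not in benign:
                index[("host", host)].add(rid)
    return index


def shared_indicators(index, min_samples=2):
    """Indicators seen in at least min_samples distinct records, with ids sorted."""
    return {key: sorted(rids) for key, rids in index.items() if len(rids) >= min_samples}


def duplicate_hashes(records):
    """Same MD5 submitted under different file names (one payload, several lure names)."""
    names = defaultdict(set)
    for _rid, name, md5, _urls, _ips in records:
        names[md5].add(name)
    return {md5: sorted(n) for md5, n in names.items() if len(n) > 1}


def clusters(records, index, kinds=("ip", "host")):
    """Connected components: two records join when they share any indicator of the given kinds."""
    parent = {rid: rid for rid, *_ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (kind, _value), rids in index.items():
        if kind in kinds:
            first, *rest = sorted(rids)
            for rid in rest:
                parent[find(rid)] = find(first)
    groups = defaultdict(list)
    for rid in parent:
        groups[find(rid)].append(rid)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    idx = build_index(RECORDS)
    for (kind, value), rids in sorted(shared_indicators(idx).items()):
        print(f"{kind:5} {value:45} {rids}")
    print("duplicate hashes:", duplicate_hashes(RECORDS))
    print("clusters:", clusters(RECORDS, idx))
```

Clustering on raw IPs links anything that touches shared hosting or a CDN, so extend BENIGN (or cluster on host names only) before reading a group as one campaign; the MD5 index also makes renamed re-submissions such as 46457/46458 obvious without detonating the file twice.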